PCI-DSS compliance in QuickStream
The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements. The PCI Security Standards Council was founded by the major card brands, and it maintains these requirements to protect account data.
It is a set of industry-mandated requirements for any business involved in payment card processing, including merchants, acquirers and service providers.
PCI DSS specifies 12 requirements for protecting account data. It covers security technologies and business practices for securing information.
Read more about PCI compliance on the PCI Security Standards Council's website.
PCI-DSS compliance levels
There are four levels of PCI compliance. Each level indicates the level of risk and exposure of cardholder data. The highest level of compliance is Level 1 and the lowest is Level 4.
Read more about PCI levels on the major card brands' websites.
Your merchant classification according to the PCI DSS will be determined at the discretion of Westpac.
Self-Assessment Questionnaires
PCI-DSS Self-Assessment Questionnaires (SAQs) are self-assessed validation tools. SAQs help you determine if your payment processing setup is PCI compliant. You normally complete this annually.
There are many SAQ types that can apply to your payment card processing environment. No SAQ type maps to a single product or service.
There are tools that can assist you in achieving PCI DSS compliance if you determine your environment to be non-compliant. Read more about the Prioritized Approach to PCI DSS.
How you integrate with QuickStream can determine which SAQ you may be eligible to complete.
Search the PCI Security Standards Council Document Library for SAQs.
Your requirements
QuickStream securely stores and processes card data for you. But this does not fulfil all your PCI compliance requirements. All businesses must still complete an SAQ. Failing to complete your SAQ may result in fines and the loss of your ability to accept card payments.
You may enlist the services of a Qualified Security Assessor (QSA) to help you with your PCI compliance requirements. QSAs are independent security individuals or businesses. A QSA is qualified by the PCI Security Standards Council to validate your adherence to the requirements. A QSA can help you choose the right SAQ for your business and assist with remediation if required.
Compliance in QuickStream
QuickStream securely stores and processes card data for you. QuickStream is hosted and maintained by Qvalent Pty Ltd, a wholly owned subsidiary of Westpac Banking Corporation. Qvalent is a Level 1 PCI DSS Compliant Service Provider.
You can use the following table to help you pick a card payment solution. These suggestions apply only to a single listed payment channel and assume you use only one of these card payment solutions. Remember, to get a definitive answer refer to your Qualified Security Assessor (QSA).
| SAQ | QuickStream Service Suggestion |
|---|---|
| A | |
| A-EP | |
| CVT | |
| D | |
Account tokens
The goal of tokenization is to replace a payment card number with a non-sensitive value. This is an account token. An account token is a unique identifier for a payment account stored in QuickStream.
It is a shared identifier. This means your system and QuickStream will both agree to use it when referring to a payment account.
QuickStream can generate an account token when you register a payment account. This process is called Tokenization. Implementing a tokenization solution may impact the scope of your PCI compliance.
QuickStream has 4 recommended account token formats. Account tokens in these formats are generated by default. You can use other formats adhering to the PCI Council's Tokenization Guidelines. We recommend against using a format that contains the first 6 digits and the last 4 digits of the payment card. If you choose to use this format, the middle digits should be alphanumeric.
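The following is an added example written for this page, not QuickStream's or Qvalent's code, and the page does not list QuickStream's four recommended formats, so the two formats below are constructed illustrations. It shows the two kinds of token the section contrasts: a fully opaque token with no relationship to the card number, and a format that keeps the first 6 and last 4 digits, where the generator forces at least one letter into the middle. The `token_format_issues` check flags a token that preserves both ends with an all-numeric middle, and additionally (a rationale added here, not stated on the page) flags an all-digit token that passes the Luhn check, because such a token is indistinguishable from a real PAN to anyone who sees it. The PAN used is a constructed, well-known test number.

```python
import secrets
import string

# Character set for the random portion of a token (constructed choice).
ALNUM = string.ascii_uppercase + string.digits

# Constructed test PAN; it is a publicly known test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Return True if the all-digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def generate_opaque_token(length: int = 16) -> str:
    """Hypothetical format 1: random token with no link to the PAN.

    The mapping PAN -> token must live only inside the token vault, so
    nothing about the card can be recovered from the token itself."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def generate_bin_last4_token(pan: str) -> str:
    """Hypothetical format 2: keeps first 6 and last 4 digits of the PAN.

    The page recommends against this shape; if it is used, the middle must
    be alphanumeric, so regenerate until at least one letter is present."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    middle_len = len(pan) - 10
    while True:
        middle = "".join(secrets.choice(ALNUM) for _ in range(middle_len))
        if any(c.isalpha() for c in middle):
            return pan[:6] + middle + pan[-4:]


def token_format_issues(pan: str, token: str) -> list[str]:
    """Policy check for a candidate token against the PAN it stands for."""
    issues = []
    same_ends = (len(token) == len(pan)
                 and token[:6] == pan[:6]
                 and token[-4:] == pan[-4:])
    if same_ends:
        issues.append("token preserves the first 6 and last 4 digits of the PAN")
        if token[6:-4].isdigit():
            issues.append("middle digits are all numeric; they should be alphanumeric")
        if token.isdigit() and luhn_valid(token):
            issues.append("token is a Luhn-valid number and could be mistaken for a PAN")
    return issues


if __name__ == "__main__":
    opaque = generate_opaque_token()
    partial = generate_bin_last4_token(SAMPLE_PAN)
    print("opaque token :", opaque, token_format_issues(SAMPLE_PAN, opaque))
    print("bin/last4    :", partial, token_format_issues(SAMPLE_PAN, partial))
    # A constructed token that keeps both ends with a numeric middle is flagged twice.
    print("bad example  :", token_format_issues(SAMPLE_PAN, "4111110000001111"))
```

Run the module directly to see the three cases. The opaque format is the one to prefer when scoping: a system that only ever holds opaque tokens never holds cardholder data, whereas a format that reveals the first 6 and last 4 digits still exposes the same digits a masked PAN would.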
Find out more
If you have any additional questions about PCI DSS, please refer to
- the PCI Security Standards Council's website.
- your Qualified Security Assessor (QSA).
- Westpac directly via email pci@westpac.com.au.
To report a security concern or vulnerability email security@qvalent.com.
If you have any questions about QuickStream, contact quickstream@qvalent.com.
Disclaimer
Qvalent is not your Qualified Security Assessor (QSA) and we provide this information without knowledge of your environment or your business processes. These guidelines are general in nature and have been prepared without knowledge of the specific environment in which your systems operate. These guidelines are current at the time of writing, but may require update over time. They should not be forwarded to any other party without Westpac's written consent. Except where contrary to law, Westpac intends by this notice to exclude liability for these guidelines and the information contained in them. While Westpac has made every effort to ensure these guidelines are free from error, Westpac does not warrant their accuracy, adequacy or completeness. Contact Westpac directly via email pci@westpac.com.au.